In my last post, I complained about the approach Qantas has taken to password security for its new Qantas Cash website. When I called Qantas to express my concerns, my query was referred to the “technical team”. I was assured they would be able to assuage my concerns. Here is the email response I received:
As I’m sure you’ll understand, we cannot discuss in any depth the security protocols and practices of our products.
However, I can assure you that your password is stored and encrypted on our server, is never transmitted and cannot be viewed by anyone.
The reason we use random ordinal characters rather than full password entry is because it is more secure as it makes harvesting passwords using keylogging software a much more challenging task.
Thank you for taking an interest in the product and we are certain you’ll find the site, the card and the product as a whole, a secure and useful addition to your payment options.
I tried to dig a little deeper, asking whether individual password characters were hashed. This did not help:
Thank you for your email. Your previous question has been queried with our technical team. They have advised that we cannot discuss in any depth the security protocols and practices of our products.
I am far from reassured. Security through obscurity is a poor strategy. Knowing how an effective security practice works does not make it weaker. Quite the contrary: the best security practices are well-known and have been tested and retested and have survived unscathed. The ones that do not pass these tests are discarded. If Qantas is keeping their security methods secret, it simply heightens my fear that they have been devised by web developers who are not experts in security and are vulnerable to attack.
Qantas and I are approaching the question of security very differently, with different threat models. Qantas is focused on preventing me from doing something silly that could compromise my account, whereas I am worried about Qantas itself being hacked.
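To show why those two threat models collide, here is an added example (my own code, not Qantas's, and not based on anything the airline has disclosed). A salted, stretched hash of the whole password can only be checked against the whole password, so a site that asks for, say, characters 2, 5 and 7 must either keep the password recoverable ("stored and encrypted") or hash each character separately; the second half of the example shows what a leaked per-character table costs to undo. The password, salts and iteration count are constructed demo values.

```python
import hashlib
import os

ITERATIONS = 100_000                                 # PBKDF2 work factor (demo value)
ALPHABET = "".join(chr(c) for c in range(32, 127))  # the 95 printable ASCII characters


def store_full_hash(password: str) -> dict:
    """Conventional storage: one salted, stretched hash of the whole password.
    Checking it needs the whole password, so partial-character prompts cannot work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return digest == record["digest"]


def store_per_position(password: str) -> list:
    """The only way to answer 'give me characters 2, 5 and 7' without keeping the
    password recoverable: a separate salted hash for every single character."""
    records = []
    for ch in password:
        salt = os.urandom(16)
        records.append({"salt": salt, "digest": hashlib.sha256(salt + ch.encode()).digest()})
    return records


def verify_positions(records: list, positions: list, chars: list) -> bool:
    """Server-side check for a partial-entry login (positions are 0-based)."""
    return all(
        hashlib.sha256(records[p]["salt"] + c.encode()).digest() == records[p]["digest"]
        for p, c in zip(positions, chars)
    )


def recover_from_leak(records: list) -> tuple:
    """What a leaked per-position table gives away: each position falls to at most
    95 hash evaluations, so the whole password costs 95 * n guesses, not 95 ** n."""
    recovered, guesses = [], 0
    for rec in records:
        for ch in ALPHABET:
            guesses += 1
            if hashlib.sha256(rec["salt"] + ch.encode()).digest() == rec["digest"]:
                recovered.append(ch)
                break
    return "".join(recovered), guesses


def full_search_space(length: int) -> int:
    """Guesses to exhaust a whole-password hash of the same length over the same alphabet."""
    return len(ALPHABET) ** length
```

Salting the per-character hashes stops precomputed tables, but it does nothing about the tiny search space per position; only whole-password hashing (or never asking for partial characters) removes that weakness.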
Only a few weeks ago, Adobe was hacked and up to 150 million encrypted passwords were made public. Their encryption methods were weak (no salted hashing!) and the password hints for all of the accounts were also leaked. Enthusiastic hackers are quickly reverse-engineering the passwords.
The same thing could happen to Qantas. If it does, and Qantas is moved to offer a heartfelt apology to their customers, I will not be too upset: I will not be one of those customers.